Cybersecurity

Foreign spying comes under new scrutiny from lawmakers

Washington policymakers are growing increasingly worried about the threat of high-tech foreign surveillance, a development complicated by U.S. spy agencies’ use of similar technologies.

Lawmakers are stepping up their demands for more information from the Trump administration about foreign efforts to spy on Americans’ cellphones.

The Senate last week passed a spending bill with a measure directing the Pentagon to disclose mobile device spying near U.S. military facilities.

And an annual intelligence community authorization bill moving through the upper chamber would force intelligence officials to report on whether vulnerabilities in the global telecommunications system enable foreign surveillance.

The developments reflect growing concern about the use of International Mobile Subscriber Identity catchers, commonly known as “Stingrays.” The spying devices mimic real cell towers, tricking mobile devices into sharing location data and in some cases communications.

The issue is clouded in sensitivity, given that U.S. law enforcement and intelligence agencies themselves use the technology.

Police have used Stingrays to track suspects, and privacy advocates have long argued there should be more restrictions on their use.

But concerns about the threat to national security have heightened since April, when the Department of Homeland Security acknowledged possible unauthorized Stingray activity in Washington, D.C., last year, including around sensitive facilities like the White House.

Officials first disclosed the threat to Sen. Ron Wyden (D-Ore.), who has led the effort to get more information about foreign spying.

Those demands have been growing in recent weeks.

Wyden offered an amendment to a spending package requiring the Pentagon to provide the congressional Armed Services committees with a “full accounting” of cell-site simulator activity near military facilities over the last three years. It also directs the Pentagon to detail actions taken to protect military facilities, personnel and their families from foreign surveillance.

“Our men and women in uniform shouldn’t have to wonder if their calls and texts are being scooped up by foreign spies,” Wyden said in a statement, calling the provision “the absolute least we can do.”

The spending bill easily passed the Senate in an 86-5 vote.

Over in the House, lawmakers have been pressing national security officials to testify publicly on the threats posed by these devices.

However, Homeland Security declined to let officials testify before the House Science, Space and Technology Committee on Wednesday — spurring frustration from both parties. 

The department instead briefed the committee behind closed doors on its work to detect spying activity, but lawmakers said it was not enough.

“While this was helpful in giving some context to the matter, it was no substitute for a public discussion on such a serious issue,” said Rep. Ralph Abraham (R-La.), the chairman of the panel’s oversight subcommittee.

A Homeland Security spokesman explained that the department “does not have law enforcement or counterintelligence authorities to address these specific concerns,” and instead asked the committee to reach out to intelligence agencies.

Lawmakers did hear from academic experts and an official at the Commerce Department’s National Institute of Standards and Technology.

Those experts told lawmakers their concerns are justified.

“The federal government is the largest consumer of commercial wireless services and is susceptible to the same cybersecurity risks in our communications infrastructure,” Jonathan Mayer, a computer science professor at Princeton University, told the panel.

“A foreign intelligence service could easily use cell-site simulators to collect highly confidential information about government operations, deliberations and personnel movements,” Mayer added.

The concerns, though, extend beyond the spying devices themselves. Lawmakers are also worried about potential flaws in the global telecom system.

Last week, the Senate Intelligence Committee unanimously approved its 2019 Intelligence Authorization Act. The bill includes a provision directing the intelligence community to report on whether vulnerabilities in the cellular network enable foreign spying in the U.S. 

This includes vulnerabilities in Signaling System 7 (SS7), a global telecom standard that connects phone networks and allows them to swap call and text message data. SS7 was designed in the 1970s with little security, and experts have long warned that it is vulnerable to exploitation by spies.

A Homeland Security study released in April 2017 acknowledged “significant weaknesses” in SS7. “Gaining unauthorized access to the … network is a risk since there are tens of thousands of entry points worldwide, many of which are controlled by countries or organizations that support terrorism or espionage,” the study said.

Homeland Security disclosed to Wyden that officials have reports of “nefarious actors” exploiting SS7 security flaws to target Americans’ communications. 

Wyden has demanded action from the Federal Communications Commission (FCC) and U.S. phone companies to crack down on phone hacking threats.

He thinks regulators can do more and has accused FCC Chairman Ajit Pai of “stonewalling” his pleas for action.

But lawmakers themselves appear unsure of how to eliminate the threat.

Experts say it is difficult to tie such spying activity to specific groups.

Homeland Security said it did not attribute the activity it detected to any particular group, and that a subsequent investigation revealed that “some” of the detected signals came from legitimate cell towers.

The House Science, Space and Technology Committee is still trying to determine the “appropriate next steps” to tackle the issue, an aide to Abraham told The Hill.

Lawmakers are insistent they will keep pressing for answers from the administration.

“Ultimately, Dr. Abraham would like a solution that ensures Americans are protected from cybersecurity breaches,” the aide said.